topic Static Nat for sending syslog messages to remote site. in Network Security

Static Nat for sending syslog messages to remote site.

mahesh18 — Tue, 12 Mar 2019 01:47:46 GMT

Hi Everyone,

IF we have two sites and each site has syslog server.

Site A

Syslog server IP 192.168.50.1

ASA 1

Site B

Syslog server IP 192.168.60.1

ASA2

for redundancy purposes ASA at each site will send all syslog messages to syslog server at its site and also to remote site.

so ASA1 will need to send syslog messages to 192.168.50.1 and 60.1.

Syslog server is at inside interface of ASA.

so need to know if we do static nat on the ASA will this we ok on ASA1 version 8.2*******

static(inside,outside) UDP 200.x.x.1 syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.2 syslog 192.168.60.1 syslog

So what config should i do on ASA2 at site 2?

Also if i use public ip for each static NAT then i can not use that IP for any other NAT right?

Thanks

Mahesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Wed, 22 May 2013 19:27:44 GMT

Hi Mahesh,

So if I understood you correctly you have the following

2 sites with ASA firewalls
Both sites have their own Syslog servers
You want to send Syslogs from each ASA to its local Syslog server and also to the remote Syslog server

If this is correct then I would imagine you can use the Static PAT / Port Forward configuration on each ASA to enable the the remote site ASA to send Syslogs through the public network to the syslog server.

I would consider doing this through L2L VPN connection though so your are not sending Syslog in the public network.

This would naturally include more configurations required BUT if you want to test this setup in some lab setup then I dont see a problem with it for testing purposes. From what I remember from our previous discussions, you have been aquiring ASAs for your own test lab to learn more about the firewalls?

Are we talking abouta lab environment with this Syslog setup OR is this for a real production network?

- Jouni

Static Nat for sending syslog messages to remote site.

Jouni Forss — Wed, 22 May 2013 19:34:24 GMT

Oh,

And forgot to answer the other question.

You can use a single public IP address to both provide Internet access to LAN users with Dynamic PAT and also configure Static PAT like you have shown in your post.

These dont rule eachother out.

- Jouni

Static Nat for sending syslog messages to remote site.

mahesh18 — Wed, 22 May 2013 19:36:18 GMT

Hi Jouni,

Here i am talking about production network.

Where two sites are connected via wan link.

So the commands which i mentioned earlier are more static NAT right?

Thanks

Mahesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Wed, 22 May 2013 19:46:50 GMT

Hi,

The configuration you mentioned

static(inside,outside) UDP 200.x.x.1 syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.2 syslog 192.168.60.1 syslog

Are Static PAT which in other words means Static Port Address Translation. Or even a more common name used for this type of NAT is Port Forwarding.

So if we take the 2 Static PAT configurations above

Site 1

static(inside,outside) udp 200.x.x.1 syslog 192.168.50.1 syslog

Would forward any Syslog traffic coming towards the public IP address of 200.x.x.1 to the inside IP address of 192.168.50.1

Site 2

static(inside,outside) udp 200.x.x.2 syslog 192.168.60.1 syslog

Would forward any Syslog traffic coming towards the public IP address of 200.x.x.2 to the inside IP address of 192.168.60.1

The above coupled with the needed ACLs on each sites "outside" interfaces would allow you to send Syslog from one site to the Syslog server on the other site. Naturally you also need the "logging" configurations so that the ASA knows where to send the Syslogs.

But I would again have to say that I would personally rather transfer this Syslog traffic through a L2L VPN connection between the sites so the Syslogs wouldnt be visible to anyone else on the public network.

- Jouni

Re: Static Nat for sending syslog messages to remote site.

mahesh18 — Wed, 22 May 2013 20:17:46 GMT

Hi Jouni,

If i config below on Site 1 ASA

static(inside,outside) UDP 200.x.x.1 syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.2 syslog 192.168.60.1 syslog

Need to confirm below

So this will forward the traffic coming from Site 2 to site 1 ?

Site 2

static(inside,outside) UDP 200.x.x.3 syslog 192.168.50.1 syslog

static(inside,outside) UDP 200.x.x.4 syslog 192.168.60.1 syslog

This will forward the traffic coming from site 1 to site 2 right?

Also need to know i read that static NAT is bidirectional .

So this static PAT is also bidirectional?

also we have vpn connection between 2 sites.

Thanks

Mahesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Wed, 22 May 2013 20:29:30 GMT

Hi,

You dont need 2 Static PAT configurations on both sites. You just need a single Static PAT configuration on each site to enable the local Syslog server to be reached through the Internet.

So if Site 1 has a Syslog server with the IP address of 192.168.50.1 then you configure a Static PAT configuration for that on its local firewall and if the Site 2 has a Syslog server with the IP address of 192.168.60.1 then you configure a Static PAT configuration for that on its local firewall

Are you using the "outside" interface IP address on each site OR do you have spare public IP addresses that can be used only for the Syslog servers?

If you only have the single public IP address of the ASA "outside" interface then you have to use Static PAT. If you have spare IP addresses then you can use Static NAT

Static PAT using the "outside" interface IP address would be configured with

Site 1

static (inside,outside) udp interface syslog 192.168.50.1 syslog netmask 255.255.255.255

Site 2

static (inside,outside) udp interface syslog 192.168.60.1 syslog netmask 255.255.255.255

I think you should probably try sending some logs through the Internet first and when that is working correctly then it will be easier to handle the L2L VPN configurations to support sending the logs through the VPN connection.

With regards to the bidirectionality of the NAT. Notice that we are talking about UDP and sending Syslogs. The other ASA will send Syslogs through the other ASA to the Syslog server there. The UDP traffic only has to go through the remote site ASA and since we are talking about UDP traffic there is no bidirectional traffic in Syslogs case. The Syslog server doesnt need to send anything to the ASA (to my knowledge atleast)

The Static PAT should work just fine for you. As I said, if you have spare public IP address that we can dedicate for each Syslog server on each site THEN you can also use Static NAT.

- Jouni

Static Nat for sending syslog messages to remote site.

mahesh18 — Wed, 22 May 2013 21:03:44 GMT

Hi Jouni,

We have Public IP to be used for syslog server.

Also if i config say each line on each site

Site A

static (inside,outside) udp 200.x.x.x syslog 192.168.50.1 syslog netmask 255.255.255.255.

how will syslog message from site A devices will go to syslog server at site B?

Thanks

Mahesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Wed, 22 May 2013 21:17:10 GMT

Hi,

Ok, so you say that you have a spare public IP address to be dedicated to ONLY be used for the Syslog server then you can configure Static NAT instead of Static PAT

So the Static NAT configuration would be

static (inside,outside) 200.x.x.x 192.168.50.1 netmask 255.255.255.255

Then you would have to have an ACL rule permitting the inbound Syslog traffic from the remote site

access-list OUTSIDE-IN permit udp host y.y.y.y host 200.x.x.x eq syslog

Where

y.y.y.y = Is the public IP address of the remote site ASA. The remote ASA will use its "outside" interface IP address as the source for the syslog messages it sends.
200.x.x.x = Is the public IP address used for the Syslog server Static NAT

Presuming ofcourse your current "outside" interface ACL is named OUTSIDE-IN. You naturally use the name of the ACL you have in use.

So the above are the configurations on Site A. This enable Site B ASA to send Syslogs to server at Site A.

For the same to work for Syslogs from Site A ASA to Site B Syslog server you need configurations on Site B ASA also.

static (inside,outside) 200.x.x.x 192.168.60.1 netmask 255.255.255.255

access-list OUTSIDE-IN permit udp host y.y.y.y host 200.x.x.x eq syslog

Where

y.y.y.y = Is the public IP address of the remote site ASA. The remote ASA will use its "outside" interface IP address as the source for the syslog messages it sends.
200.x.x.x = Is the public IP address used for the Syslog server Static NAT

- Jouni

Re: Static Nat for sending syslog messages to remote site.

mahesh18 — Thu, 23 May 2013 03:55:42 GMT

Hi Jouni,

The setup which we have here has different public IP at site A and B

For site A

static (inside,outside) 200.x.x.2 192.168.50.1 netmask 255.255.255.255

Site B

static (inside,outside) 200.x.x.3 192.168.60.1 netmask 255.255.255.

So i mean to say that Public IPs are different at both the sites.

Is this possible?

Thanks

MAhesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Thu, 23 May 2013 06:37:14 GMT

Hi Mahesh,

Yes, ofcourse the public IP addresses are different on the sites. I guess I could have changed the IP addresses a bit in the configuration commands I mentioned. For example 200.x.x.x and 200.y.y.y.

So as I said it would probably be best that you first configure the Static NAT (as you seem to have spare public IP address that you can dedicate to the Syslog server on each site) and configure ACLs that allow the traffic from the other ASAs public IP address.

When the NAT and ACL are configured correctly then you could try adding the "logging" configurations and start confirming that Syslogs from each site arrive to the remote site Syslog server.

When you have confirmed that this configuration is working correctly THEN we could temporarily remove the logging to the remote site and start looking at the L2L VPN configurations required so that you have move the Syslog traffic to the L2L VPN between the 2 sites that you say already existed. So one step at a time.

Do you have enough information to configure the Static NAT for the Syslog server on each site?

When the NAT and ACL are done you should be able to use the command

logging host outside

The ASA might give a warning about the "security-level" value of the interface "outside" but this is to be expected as the ASA warns you that you are about to send Syslog information through an interface behind which the network is not secured by the ASA and in a sense secured.

- Jouni

Static Nat for sending syslog messages to remote site.

mahesh18 — Thu, 23 May 2013 16:49:17 GMT

Hi Jouni,

I have send you message please read.

Thanks

Mahesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Thu, 23 May 2013 16:51:21 GMT

Hi Mahesh,

I will answer here on the forums to your message.

The "logging" command you posted were a bit wrong.

The reason is that the other server is local and is naturally located on the "inside" BUT the other remote site Syslog server would need the interface set to "outside" as its located behind that interface.

My intention was to first get your NAT, ACL and Logging configurations in order for you to be confirm through Internet that the logs were arriving at the remote site server.

As soon as that is working you can temporarily disable the syslog sending to the remote site through "outside" and THEN we can start looking into adding the L2L VPN related configurations so you can have the ASAs send that syslog information to the remote site through a protected L2L VPN Connections.

I just try to keep the configurations changes as simple as possible and confirm that the basics are working before trying something more complicated.

- Jouni

Static Nat for sending syslog messages to remote site.

Jouni Forss — Thu, 23 May 2013 16:52:15 GMT

Also,

On each ASA you will ofcourse have to use the Remote Syslog server public NAT IP address in the "logging" command.

- Jouni

Static Nat for sending syslog messages to remote site.

Jouni Forss — Thu, 23 May 2013 17:44:15 GMT

Hi,

The IP addresses you mention in the message sent through the forums might be configured with Static NAT so you should look through your "show run static" on the ASA to find the translations

Or you have use "show run static | inc x.x.x.x" where the "x.x.x.x" is the public IP address

- Jouni

Static Nat for sending syslog messages to remote site.

Jouni Forss — Thu, 23 May 2013 17:52:37 GMT

Hi Mahesh,

You should really try to post the answers and questions here on the discussion. It gets quite confusing reading the information on 2 different places.

So if I should suggest you which steps to take regarding this Syslog setup configuration

Determine if the Syslog server on either side has a Static NAT or Static PAT configuration
- Use the command "show xlate | inc "
- On one site insert its local IP address and on the other site its syslog servers local IP address
If you dont see any existing NAT configurations for these Syslog servers then determine if you have spare public IP addresses available that ARE NOT in any kind of use at the moment
Configure typical Static NAT using the Syslog server local IP address and the spare public IP address on each site. So one Static NAT per site.
On each site configure the "outside" ACL so that it allows Syslog traffic sourced from the Remote Sites ASAs "outside" interface IP address
Configure the "logging host outside " to enable logging to the remote syslog server
When the configurations are done, determine if the remote sites ASAs logs are arriving to the other sites Syslog server. Do this on both sites.
If it doesnt work, then you have to troubleshoot and determine that the ASA is actually trying to send the syslog traffic and that the remote ASA is allowing this syslog connectiong through
If things work, then we can look at changing this syslog information to go through a L2L VPN connection.

- Jouni

Static Nat for sending syslog messages to remote site.

mahesh18 — Thu, 23 May 2013 17:54:14 GMT

Hi Jouni,

When i do sh run static | inc public ip

it shows that it is statically mapped to syslog server at remote and local site.

So need to understand this that we use couple of public ip got from isp and map them to internal syslog servers right?

so this setup is just for logging logs from edge device to syslog right ?

so it does not log message to remote syslog server right?

Thanks

mahesh

Re: Static Nat for sending syslog messages to remote site.

Jouni Forss — Thu, 23 May 2013 18:10:12 GMT

Hi,

So you are saying that both sites ASAs have Static NAT for the the sites Syslog server? If this is correct then the Syslog server can be reached from the Internet.

After this you would have to create an ACL rule on the "outside" interface ACL to allow syslog traffic from the remote sites ASAs "outside" interface IP address to the local syslog server public IP address. You would configure ACL rules on both sites to allow the other sites ASA to send Syslog to the public IP address of that sites Syslog server.

When that is done you could enable syslogging on each sites ASA (towards the other sites syslog server)

logging host outside

And if everything is fine, you should be able getting syslog messages from both ASA to both Syslog servers

And as I said before, after we confirm that the logs are going through from each site to the other then we could move this traffic to a L2L VPN connection.

In short these very first steps purpose is to

Make sure that both sites have public IP address for the server configured
Confirm that both sites have an ACL rule that allow the syslog messages coming from the other site
Configure each ASA to send syslogs through the "outside" interface also to the other sites syslog server
Eventually move this traffic to the L2L VPN between the sites

- Jouni

Static Nat for sending syslog messages to remote site.

mahesh18 — Fri, 24 May 2013 04:44:51 GMT

Hi Jouni,

I have tested the syslog connection of both sites via the internet.

I am doing this as we have to replace the existing syslog servers thats why i have to do the setup again.

Its a new setup now with New IP addresses.

Earlier syslog messages to remote site were going Via GRE -- over IPSEC.

Currently both site are sending syslog messages to each other via the internet.

This has been tested.

Now i need to send the syslog messages internaly over the GRE tunnel.

GRE tunnel goes via IPsec between two sites.

I have changed logging host from outside to inside as traffic needs to go via IPSEC now.

I know the Router which has GRE tunnel and the destination IP of tunnel goes via IPSEC.

Need to know what step i should take on this ASA so that traffic goes via GRE tunnel?

Should i define static route on ASA that to reach syslog server at each remote site we should go to Router which has GRE tunnel configured?

like route inside 192.168.60.1 255.255.255.0 ?

Going to sleep now.

Thanks

Mahesh

Static Nat for sending syslog messages to remote site.

Jouni Forss — Fri, 24 May 2013 05:31:25 GMT

Hi Mahesh,

I had no idea that you have a L2L VPN/GRE connection through some other routers in the network. I presumed that you had a L2L VPN connection between the ASA firewalls directly. This again naturally changes the setup completely.

Does each of your ASA have a route towards the remote syslog server yet? Are you perhaps running dynamic routing between the sites as you are using IPsec + GRE?

What is the IP address/network of the interface of the ASA that has the route (or will have the route after configured) for the remote sites syslog server?

Basically you should first confirm that each site has a route towards the other sites syslog server network. You would also have to confirm that each site as a route for the network that is connected to the ASA interface from which you want to send the syslogs to the other site.

You should be able to use the "show route" command on the ASAs and "show ip route" command on the router side to determine if the routing information needed is already there. If not, then some additions to the routing have to be made for each ASA to be able to send syslog to the other side.

- Jouni